Qualys Web Application Scanning 


Training Documents 


* Download the Presentation Slides and Lab Tutorial Supplement from the Qualys Sharepoint site - https://bit.ly/qsc2021-was


Lab Tutorial Supplement 


* All lab activity for this course is performed in a simulated lab environment


* Please refer to the WAS Lab Tutorial Supplement for the following:
  - Link to start the lab (each lab topic has a separate link)
  - Overview of the steps performed for each topic
  - Additional supporting information


Additional Reading 


* WAS Getting Started Guide - https://www.qualys.com/docs/qualys-was-getting-started-guide.pdf

* WAS API User Guide - https://www.qualys.com/docs/qualys-was-api-user-guide.pdf


Agenda 


* WAS Overview
* Basic Web Application Setup and Discovery
* Advanced Web Application Setup and Scanning
* WAS Reporting
* Tagging and Users
* Burp and Bugcrowd Integration
* Malware Detection


Web Application Scanning Overview 


WAS Overview 


Automated Testing (Fault Injection)

* Submit "specially crafted" characters
* Observe the server's response
* This represents 80 — 85% of Web app vulnerabilities

Manual Testing (BURP Integration)

* Automated tools effectively detect Web application bugs (SQL execution inside user input)
* Human beings are much better at discovering program design flaws

What Do Automated Tools Miss? 


Logic Errors: Point of authentication vs. point of authorization
* Forced Browsing Links - the user forces access to an unauthorized link.

Permission Errors: File system permissions have a significant impact on application security.
* Public file share that has employee payroll and medical records.

These typically require manual testing and detection.
KnowledgeBase and Search Lists


What do we check for?

Web App Vulnerabilities

Search Lists Overview


User-defined Groups of QIDs
* Static search list - Manually defined
* Dynamic search list - Criteria-based

Benefits
* A Dynamic List updates when new QIDs meet the search criteria
* No limitation to the number of QIDs in a search list


Search Lists Overview 


Search lists allow you to modify the vulnerabilities for which you are:
* Scanning
* Reporting

Example:
* Run a scan for only SQLi
* Exclude a vulnerability from a scan
* Build a report for only XSS


Lab 1 and 2 


Please follow pages 3 — 5 from the Lab Tutorial Supplement


Lab Supplement - https://bit.ly/qsc2021-was 


Lab 1 - KnowledgeBase 
Lab 2 - Search Lists 


15 min. 


Basic Application Setup and Discovery 


Defining an Application 
An application is: 


* A business function typically requiring login
* Running unique code


Defining Applications — Unique Business Process 


Example site: 
http://site/admin/ 
http://site/hr/ 
http://site/finance/ 


Scenario 1:
* Each directory is part of a single app if they are part of an Intranet Portal (1 app total)

Scenario 2:
* Authentication credentials are different for each, with different business functions (3 apps total)


Defining Applications — Different ports 


Example site: 


E-commerce site that authenticates over https and allows browsing a catalog over http:

https://e-commerce:443/login.cgi
http://e-commerce:80/browse.cgi

Scenario:
WAS users only need to define the starting port. The scanner will discover all ports in other links. (1 app total)


Defining Applications — Different Ports 


Example site: 
http://intranet:80/index.cgi 
http://intranet:8080/index.cgi 


Scenario 1:
* If the app on port 80 has links to the app on port 8080
* Links are the same business function
(1 app total)

Scenario 2:
* If the app on port 80 doesn't have links to port 8080
* Links are different business functions
(2 apps total)


Defining Applications — Different hostnames 


Example site:
http://production.domain:80/
http://qa.domain:80/

Generally considered 2 applications because they are separate hostnames.


Web Applications - Filtering 


Filter your apps by:
* URL
* Tags
* Scan information
* Last Scan Date
* Last Scan Status
* Scanner Appliance
* Scanner Appliance Tags
* Authentication Record
* Custom Attribute
* Creation Date



Web Applications — Bulk Edit

Bulk Edit applies one change to several selected web applications at once ("Select the scan settings you want to edit. Once you click Save we'll apply the change"). Settings that can be bulk-edited:

* Owner
* Scanner Appliance
* Cancel Option
* Header Injection
* Crawling Hints
* Authentication Record


Removing Web Applications

Used to remove retired web applications.

Like VM, this does a full purge for that web app within Qualys (the web application's action menu offers Purge and Remove Web Assets).


Crawl Scope

Web Application Edit: My First App - Target Definition

Web Application URL (or Swagger file URL): https://demo06.s02.sjc01.qualys.com/

Crawl Scope* options:
* Limit to URL hostname
* Limit to content located at or below URL subdirectory
* Limit to URL hostname and specified sub-domain
* Limit to URL hostname and specified domains


Scope - Limit to URL hostname

Select this to crawl the hostname within the URL using http or https and any port.

Example: http://www.example.org/new

* All links in the http://www.example.org domain will be crawled:
  http://www.example.org/support
  http://www.example.org:8080/news

* Links outside www.example.org will not be followed:
  http://video.www.example.org
  http://cdn.example.org


Scope - Limit to content located at or below Sub-directories

We can limit crawling to the starting URI and its sub-directories.

Sample Web Application:
Virtual Host: www.qualys.com
Port: 80
Starting URI: /research/

Using the above web application, the scanning engine will start its scan at http://www.qualys.com/research/. From this page, links will be found to:

http://www.qualys.com/research/exploits/
http://www.qualys.com/research/top10/
http://www.qualys.com/research/vulnlaws/
http://www.qualys.com/research/knowledge/
http://www.qualys.com/
http://www.qualys.com/products/qg_suite/
http://www.qualys.com/customers/
etc...

From this list of links discovered, the scanning engine will NOT crawl:

http://www.qualys.com/
http://www.qualys.com/products/qg_suite/
http://www.qualys.com/customers/

Notes:
http://www.qualys.com/ will not be crawled because it is a parent directory of /research/.

http://www.qualys.com/products/qg_suite/ and http://www.qualys.com/customers/ will not be crawled because they are not child directories of /research/.


Scope - Limit to URL hostname and specified sub-domain

We can limit it to crawl only sub-domains.

Web Application URL: https://demo06.s02.sjc01.qualys.com:443/
Crawl Scope*: Limit to URL hostname and specified sub-domain
Restricted to sub-domain*: .s02.sjc01.qualys.com

Scope will be limited to URL https://demo06.s02.sjc01.qualys.com/ and sub-domain .s02.sjc01.qualys.com, using HTTP or HTTPS and any port. All links discovered in demo06.s02.sjc01.qualys.com and in .s02.sjc01.qualys.com or any of its subdomains will be in scope. For example, links like these will be in scope: https://demo06.s02.sjc01.qualys.com/support/, https://demo06.s02.sjc01.qualys.com:8080/logout/, https://s02.sjc01.qualys.com/images/ and https://videos.s02.sjc01.qualys.com. Any link whose domain does not match the web application URL hostname or is not a subdomain of .s02.sjc01.qualys.com will not be in scope. This means, for example, https://videos.qualys.com will not be included.


Scope - Limit to URL hostname and specified domains

We can crawl the starting URL, and the additional domains.

Target Definition (*) REQUIRED FIELDS

Web Application URL: https://demo06.s02.sjc01.qualys.com:443/
Crawl Scope*: Limit to URL hostname and specified domains
Specified domains: demo7.s02.sjc01.qualys.com

Scope will be limited to the URL hostname https://demo06.s02.sjc01.qualys.com/, domains demo7.s02.sjc01.qualys.com and any other, using HTTP or HTTPS and any port. All links discovered in demo06.s02.sjc01.qualys.com, demo7.s02.sjc01.qualys.com and all other domains specified will be in scope. This means, for example, these links will be included: https://demo06.s02.sjc01.qualys.com/support/, https://demo06.s02.sjc01.qualys.com:8080/logout/ and https://demo7.s02.sjc01.qualys.com/images/. Links whose domain does not match the web application URL hostname or one of the domains specified will not be in scope. For example, https://videos.qualys.com and https://cdn.demo7.s02.sjc01.qualys.com will not be included.
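As an added example (not code from the Qualys training material or the WAS product), the following Python function models the four crawl scope rules described above and is checked against the sample URLs on this page; the product's own matching may differ in details, so treat it as an illustration of the rules rather than the scanner's implementation.

```python
"""Models the four WAS crawl-scope rules described above (illustrative, not Qualys code)."""
from enum import Enum
from urllib.parse import urlsplit


class Scope(Enum):
    HOSTNAME = "Limit to URL hostname"
    SUBDIRECTORY = "Limit to content located at or below URL subdirectory"
    SUBDOMAIN = "Limit to URL hostname and specified sub-domain"
    DOMAINS = "Limit to URL hostname and specified domains"


def _host(url):
    """Lower-cased hostname without the port: every mode allows http or https on any port."""
    return (urlsplit(url).hostname or "").lower()


def _start_dir(url):
    """Starting directory of the web application URL, always with a trailing '/'."""
    path = urlsplit(url).path or "/"
    return path if path.endswith("/") else path.rsplit("/", 1)[0] + "/"


def in_scope(app_url, link, scope, extra=()):
    """Return True when `link` would be crawled for the web app defined by `app_url`.

    `extra` carries the one restricted sub-domain (e.g. '.s02.sjc01.qualys.com')
    for Scope.SUBDOMAIN, or the additional domain names for Scope.DOMAINS.
    """
    parts = urlsplit(link)
    if parts.scheme not in ("http", "https"):
        return False                      # only web links are ever followed
    app_host, link_host = _host(app_url), _host(link)
    if link_host == app_host:
        # The application's own hostname is in scope in every mode; the
        # subdirectory mode additionally rejects parent and sibling directories.
        if scope is Scope.SUBDIRECTORY:
            return (parts.path or "/").startswith(_start_dir(app_url))
        return True
    if not extra:
        return False                      # no sub-domain / domains configured
    if scope is Scope.SUBDOMAIN:
        # '.s02.sjc01.qualys.com' admits s02.sjc01.qualys.com itself and any host below it
        suffix = next(iter(extra)).lower().lstrip(".")
        return link_host == suffix or link_host.endswith("." + suffix)
    if scope is Scope.DOMAINS:
        # Extra domains match exactly: cdn.demo7... is NOT covered by demo7...
        return link_host in {d.lower() for d in extra}
    return False                          # HOSTNAME / SUBDIRECTORY: other hosts are out


def partition(app_url, links, scope, extra=()):
    """Split discovered links into (crawled, rejected), as the sitemap view reports them."""
    crawled = [link for link in links if in_scope(app_url, link, scope, extra)]
    rejected = [link for link in links if link not in crawled]
    return crawled, rejected


if __name__ == "__main__":
    # The sub-directory example from the page: Virtual Host www.qualys.com, Starting URI /research/
    found = [
        "http://www.qualys.com/research/exploits/",
        "http://www.qualys.com/research/top10/",
        "http://www.qualys.com/",
        "http://www.qualys.com/products/qg_suite/",
    ]
    crawled, rejected = partition("http://www.qualys.com/research/", found, Scope.SUBDIRECTORY)
    print("crawled:", crawled)
    print("rejected:", rejected)
```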


Scanning 


Scan Types 


Discovery Scan
* All links are determined
* Authentication is maintained during the scan
* Links with forms are set aside for vulnerability assessment

Vulnerability Scan
* Should happen after at least one Discovery Scan
* Tests the web application for vulnerabilities


Discovery Scan 


Discovery

* The scan begins at the starting URL identified in the application definition
* Using the Scope Options identified in the application definition, the scan traverses links to discover pages and content
* Configuration data is collected from the target app and its host
* Vulnerability testing is not performed


QID 150009 - Links Crawled

QID 150009 (Links Crawled, Group: Information Gathered) lists all links that have been crawled.

Highlight changes from previous scan:
New - this link was not found in the previous scan
Modified - this result was found by the previous scan but its value was different
Removed - this link was not found, but was reported in the previous scan

Duration of crawl phase (seconds): 566.00
Number of links crawled: 32
(This number excludes form requests and links re-requested during authentication.)

https://demo06.s02.sjc01.qualys.com/
https://demo06.s02.sjc01.qualys.com/?account=business
https://demo06.s02.sjc01.qualys.com/?account=checking&ID=1
https://demo06.s02.sjc01.qualys.com/?account=personal
https://demo06.s02.sjc01.qualys.com/boq/
https://demo06.s02.sjc01.qualys.com/boq/aboutus.html


Web Application Sitemap

View the Web Application or Scan Sitemap to:
* View Pages Crawled and Vulnerability Statistics
* Create New Web Apps
* Add URLs to Black List
* Add URLs to White List

Web Application Sitemap: Catalog Web Application: demo06.s02.sjc01.qualys.com, Port 443

Use the filters below to alter the list view for this application sitemap. Page view filters: Crawled, Rejected, External, Vulnerabilities, Sensitive Contents. Each link shows Link Info (status, e.g. Crawled; Vulnerabilities; Sensitive Content), Children Information and Folder Information, with the actions Create Web App, Add To Black List and Add To White List. The summary panel shows Pages Crawled, Vulnerabilities, Assessment Details, Total Vulnerabilities (by level) and Crawling Details.


Lab 3, 4 and 5 


Please follow pages 5 — 14 from the Lab Tutorial Supplement


Lab Supplement - https://bit.ly/qsc2021-was 


Lab 3 — Create Application 1 
Lab 4 — Create Application 2 
Lab 5 — Scheduled Scans 


20 min. 


Advanced Application Setup and Scanning 


Option Profile - Crawling 


Crawl stops when:
* Max number of links threshold is met: Maximum crawl requests (the total number of links and forms to follow)* = 8000
* No new links are discovered
* Scan time-out is reached: cancel scan after 2 hours

Also configurable here:
* Modify Form submission for GET, POST, GET&POST, None
* Change User agent
* Create Parameter sets
* Ignore common binary files
* SmartScan Support
* Change Behavior and Performance settings
* Modify Bruteforcing settings


Option Profile — Scan Parameters 


Please define how the scan will perform.

General Settings (*) REQUIRED FIELDS

Behavior Settings:
* Timeout Error Threshold
* Unexpected Error Threshold

Bruteforcing Settings:
* Use password bruteforcing
* User list / System list: Minimal


Option Profile — Enhanced Crawling 


Crawling Options - Enhanced Crawling

When enabled we will attempt to load and render individual directories. If unique content is found, we'll begin crawling from there to improve scan coverage.

* Improves scan coverage by re-crawling individual directories present in the links found during crawling
* Uses a directory chopping approach


Option Profile — Enhanced Crawling 


* Starting URL - https://www.example.com/foo/abc/xyz/register.php
* First request — https://www.example.com/foo/abc/xyz
* Then crawl - https://www.example.com/foo/abc
* Then crawl - https://www.example.com/foo
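The directory chopping sequence above, generalised to a whole set of discovered links, as an added illustration (not Qualys code): `chop_directories` reproduces the page's example and `enhanced_crawl_targets` (a name chosen here) de-duplicates the directories across all links found during a crawl.

```python
"""Enhanced-crawling directory chopping, illustrating the approach described above."""
from urllib.parse import urlsplit, urlunsplit


def chop_directories(url):
    """Parent directories of `url`, deepest first, as the crawler would request them.

    The last path segment (a file such as register.php, or the directory the URL
    already names) is dropped; query string and fragment are discarded because a
    directory request carries neither.
    """
    parts = urlsplit(url)
    segments = [s for s in parts.path.split("/") if s][:-1]
    chopped = []
    while segments:
        chopped.append(urlunsplit((parts.scheme, parts.netloc, "/" + "/".join(segments), "", "")))
        segments.pop()
    return chopped


def enhanced_crawl_targets(discovered_links):
    """Unique directories to re-crawl for the links found during crawling.

    Directories already present in the discovered set are skipped, and the
    first-seen order is kept so the output is deterministic for a given crawl.
    """
    known = {link.rstrip("/") for link in discovered_links}
    targets = []
    for link in discovered_links:
        for directory in chop_directories(link):
            if directory not in known:
                known.add(directory)
                targets.append(directory)
    return targets


if __name__ == "__main__":
    # Constructed sample: the page's starting URL plus two more links from the same site.
    for directory in enhanced_crawl_targets([
        "https://www.example.com/foo/abc/xyz/register.php",
        "https://www.example.com/foo/abc/",
        "https://www.example.com/foo/login.php?next=/",
    ]):
        print("re-crawl:", directory)
```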


Option Profile - SmartScan 


* Used for enhanced AJAX or Single Page Applications (SPA)
* Supports sites using AngularJS and bootstrap
* View QID 150148 to see links crawled - this will be your hint to verify SmartScan is working

SmartScan Support
When enabled we'll perform advanced scanning, using enhanced AJAX/SPA deep crawling and vulnerability testing, for a number of actions per page. This option is recommended for scanning sites with advanced frameworks and technologies.

Enable SmartScan Support

You can customize the number of actions that can be tested per page. Note the higher the number you set, the longer the scan duration.

SmartScan Depth*: 5


Option Profile — Behavior Settings 


Timeout Error: Network connectivity problems, or someone reboots a server

Unexpected Error: Web app returning 500/Internal Server Errors

If a threshold is met, your scan will give you a "Service Errors Detected" status.

Behavior Settings

These settings define the threshold to be reached before stopping the scan. If you deactivate these settings, the scan will keep running no matter how many errors it finds.

Timeout Error Threshold: 100
Unexpected Error Threshold: 300


Option Profile — Keyword URL Search 


* Search for URL links that contain specific keywords
* Keywords are searched in internal links during a Discovery/Vulnerability scan
* Links containing the specified keyword are shown under QID 150141

Keyword URL Search
Keyword Search: customer

Specify strings or regular expressions to search for keywords in URLs. You may enter up to 10 keywords. Each keyword must be a minimum of 5 characters or a maximum of 200. Enter each keyword on a new line.


Option Profile — Bruteforcing 


* Performed when Form Authentication is used
* Make sure you include QID 150049
* Use the Qualys list or import your own

Bruteforcing Settings
Use password bruteforcing
User list / System list: Minimal


Web Application - Explicit URLs to Crawl 


Specify URLs you want the service to crawl.

Useful for pages not linked to other pages in the application.

Target Definition (*) REQUIRED FIELDS

Web Application URL: https://demo06.s02.sjc01.qualys.com:443/

Crawl Scope*: Limit at or below URL hostname (demo06.s02.sjc01.qualys.com)

Scope will be limited to the hostname within the URL: https://demo06.s02.sjc01.qualys.com/, using HTTP or HTTPS and any port. All links discovered on the demo06.s02.sjc01.qualys.com domain will be in scope. For example, all links discovered in https://demo06.s02.sjc01.qualys.com/support/ and https://demo06.s02.sjc01.qualys.com:8080/logout/ will be in scope. Links outside the demo06.s02.sjc01.qualys.com domain are not in scope. This means, for example, links like https://demo06.s02.sjc012.qualys.com and https://cdn.demo06.s02.sjc01.qualys.com will not be in scope.

Explicit URLs to Crawl / REST Paths and Parameters / SOAP WSDL Location:
https://demo06.s02.sjc01.qualys.com/aade3aEfjafae.htm
https://demo06.s02.sjc01.qualys.com/webservices/wsdl

Non-linked URLs

Burp Log File: You have the option to upload a Burp Log File with your scan tests. Once uploaded we will parse it to create requests and then crawl and test those requests.
* Upload Burp Log File (must be consistent with selected scope)


Web Application - Progressive Scanning 


Diagram: a Traditional Web Application Scan runs as one 3 hrs. scan before the Final Results; Progressive Scanning splits the work into Progressive Scan 1, Progressive Scan 2 and Progressive Scan 3 of 1 hr. each.

Works best with Frequently Scheduled Scans.

Web Application - Progressive Scanning

* Performs a 'look back' at previous scans
* Prioritizes pages not previously crawled
* Prioritizes new functionality
* Includes vulnerable pages detected previously
* Enhances flexibility in scheduling


Web Application - Redundant Links 


Specify fully customizable patterns of redundant links so that the scan does not spend time crawling similar links.

Web Application Edit: My First App - Redundant Links (*) REQUIRED FIELDS

Specify links in the web application for which contents are the same and because of which the scan may spend too much time crawling and assessing these URLs. Links shall be specified as regular expressions so that you can specify an expression to match a list of links.

Example: http://www.myshop.com/products/prod [1-10].html

Specify the number of instances to be tested for each link identified by the above regular expressions.

Max. Links to Crawl*: 5
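An added illustration of how a redundant-links filter works (not Qualys code; the matching rule and the function name are assumptions): a crawl queue is reduced to at most `max_links` instances per regular expression, and the comment in the block notes why the slide's `[1-10]` should be written as `\d+` in a real regular expression.

```python
"""Redundant-link limiting with regular expressions (illustration of the feature above)."""
import re


def limit_redundant_links(links, patterns, max_links=5):
    """Return (crawl, skipped): links matching a redundant pattern are kept only up
    to `max_links` instances per pattern; links matching no pattern are kept as-is.

    Assumption: a pattern must match the whole link (re.fullmatch), and the first
    matching pattern wins for a link that matches several.
    """
    compiled = [re.compile(p) for p in patterns]
    instances = [0] * len(compiled)
    crawl, skipped = [], []
    for link in links:
        for i, rx in enumerate(compiled):
            if rx.fullmatch(link):
                if instances[i] < max_links:
                    instances[i] += 1
                    crawl.append(link)
                else:
                    skipped.append(link)
                break
        else:
            crawl.append(link)      # not redundant: always crawled
    return crawl, skipped


# Constructed sample crawl queue: twelve product pages and two unrelated pages.
SAMPLE_LINKS = [f"http://www.myshop.com/products/prod{n}.html" for n in range(1, 13)] + [
    "http://www.myshop.com/cart.html",
    "http://www.myshop.com/contact.html",
]

# The slide writes its pattern as "prod [1-10].html". As a regular expression the
# character class [1-10] matches a single '1' or '0' only, so prod2..prod9 and prod11
# would not be covered; \d+ expresses the intended "prod followed by any number".
REDUNDANT_PATTERNS = [r"http://www\.myshop\.com/products/prod\d+\.html"]


if __name__ == "__main__":
    crawl, skipped = limit_redundant_links(SAMPLE_LINKS, REDUNDANT_PATTERNS, max_links=5)
    print("crawled:", len(crawl), "skipped as redundant:", len(skipped))
```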
Comments 


Web Application - Authentication 


Form Records
* Standard Login
* Custom
* Selenium Script / Qualys Browser Recorder

Server Records
* Basic
* Digest
* NTLM

Manage Authentication Records

The Authentication tab provides a convenient place for managing both Form and Server authentication records. A single authentication record can be shared with multiple web applications; the record menu offers Save As, Add Tags, Remove Tags, Set As Default and Delete.


Exclusions 


White list 
- Crawl specific directories or pages (within application scope). 
- Content outside of ‘white-list’ is black-listed by default. 
- Target a specific area of modified/updated code. 


Black list 
- Prevent WAS from crawling sensitive or protected locations. 


Post Data Black List
- Prevent WAS from posting HTTP forms on sensitive pages (e.g., a Contact Us page).


Logout Regular Expression 
- WAS scanner will not crawl to specified 'logout' links. 


Advanced Options - DNS Override 


Diagram: PRODUCTION www.yourwebapp.com: 64.39.106.249; QUALYS CLOUD PLATFORM, External Scanner Pool 64.39.106.246.

DNS Override Settings

DNS Override:
* Configure if DNS is not yet configured for your app that's currently in Dev or QA (New DNS Override Settings, Step 2 of 3: "Tell us the DNS settings you'd like to use" - DNS Mappings, e.g. 10.0.0.15)
* Tag to manage assignment of DNS Override


Web Application - Form Training 


* This is a way for us to tell WAS what data to submit in a form, to follow a certain workflow.
* Similar to how Qualys Recorder works. Works with just about any browser.

Advanced Options

Default DNS Override (*) REQUIRED FIELDS: Select one or more DNS override records with mappings you'd like to use by default when scanning this web application. Records: Please select a DNS override record / Create. No DNS override records have been selected.

Form Training: Provide a list of form field values to be used for submitting HTML Forms during crawling. Add Form.


Web Application - Path Fuzzing 


Use case: For testing sites that use URL re-writing (asp.net MVC)

Example: Let us consider a sports web page
http://www.abc.com/issue/17/section/sports/article/28

However, the web server will read this URL as
http://www.abc.com/search.php?issue=17&section=sports&article=28

The path fuzzing rule would be:
http://www.abc.com/issue/{issue}/section/{section}/article/{article}
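An added example (not Qualys code) showing what a path fuzzing rule gives the scanner: the rule is compiled into a pattern with one named group per `{placeholder}`, so a rewritten URL can be mapped back to the query-string form the server actually reads. Function names and the `[^/?#]+` placeholder syntax are assumptions made here.

```python
"""Path-fuzzing rules: map a rewritten URL back to its parameters (illustrative, not Qualys code)."""
import re
from urllib.parse import urlsplit, urlencode

# A placeholder such as {issue} names one parameter in the rewritten path.
_PLACEHOLDER = re.compile(r"\{([A-Za-z_][A-Za-z0-9_]*)\}")


def compile_rule(rule):
    """Compile a rule like http://www.abc.com/issue/{issue}/section/{section}/article/{article}
    into a regex with one named group per placeholder; literal text is escaped.
    Assumption: a placeholder value is a single path segment (no '/', '?' or '#')."""
    regex, pos = "", 0
    for m in _PLACEHOLDER.finditer(rule):
        regex += re.escape(rule[pos:m.start()]) + f"(?P<{m.group(1)}>[^/?#]+)"
        pos = m.end()
    regex += re.escape(rule[pos:])
    return re.compile("^" + regex + "$")


def extract_parameters(rule, url):
    """Parameter name -> value for `url`, or None when the URL does not fit the rule."""
    m = compile_rule(rule).match(url)
    return m.groupdict() if m else None


def as_query_url(rule, url, handler):
    """Show the URL the way the server 'reads' it: the handler script with the
    extracted parameters as a query string (the page's search.php example)."""
    params = extract_parameters(rule, url)
    if params is None:
        return None
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}/{handler}?{urlencode(params)}"


if __name__ == "__main__":
    rule = "http://www.abc.com/issue/{issue}/section/{section}/article/{article}"
    url = "http://www.abc.com/issue/17/section/sports/article/28"
    print(extract_parameters(rule, url))
    print(as_query_url(rule, url, "search.php"))
```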


No Web Service 


The scan will give "No Web Service" status if the scanner:
* Cannot get a DNS lookup on the site
* Cannot reach the target because of routing
* Cannot get a web service to respond to a GET request


API Testing 


APIs 


* Provide a way for machine-to-machine communication
* Popular ones include:
  - Representational State Transfer (REST) APIs
  - Simple Object Access Protocol (SOAP) APIs
* APIs use HTTP and are vulnerable to many of the same attacks as web applications


Qualys Support for SOAP APIs 


* Supports basic security testing of SOAP based web services that have a Web Service Description Language (WSDL) file within the scope of the scan
* WAS uses the WSDL file to identify the web service methods and parameters supported
* WAS will attempt XSS and SQL injection testing of the web services


Qualys Support for REST APIs 


* RESTful web services can be exposed using files such as WADL (Web application description language), Swagger, or using a proxy capture of the REST API client
* Qualys WAS captures the REST requests via an uploaded proxy capture of the REST API client
* Once the endpoints have been discovered, they can be tested for vulnerabilities


Qualys Support for openAPI (REST) 


* Qualys WAS supports Swagger version 2.0 in JSON format
* If the Swagger file is available and successfully parsed, the APIs will be automatically tested for security flaws


Qualys Support for openAPI (REST)

Web Application Creation, Step 1 of 11: Tell us about the asset you want to scan

Name*: Example Website

Web Application URL (or Swagger file URL)*: https://www.example.com/swagger.json

For scanning Swagger-based REST APIs, the Web Application URL should point to the Swagger file. It is your responsibility to verify that you have permission to scan all web applications or APIs that you specify as scan targets.

Swagger and non-Swagger based APIs

Web Application Creation, Step 2 of 11: API Endpoint Definition (Swagger and non-Swagger based APIs)

* None
* Postman Collection - Upload a valid Postman Collection file for your API. We currently only support v2.0.0 and v2.1.0 for Postman Collection. Once uploaded, we will parse the file to create requests and then crawl and test those requests.
  - Upload Postman Collection File (Mandatory)
  - Upload Postman Environment Variables File (Optional)
  - Upload Postman Global Variables File (Optional)
* Burp Proxy Capture - You have the option to upload a Burp Log File with your scan tests. Once uploaded we will parse it to create requests and then crawl and test those requests.
  - Upload Burp Log File
* Swagger/OpenAPI File - You have the option to upload a Swagger/OpenAPI File for your API. We currently support version 2.0 and 3.0. Once uploaded we will parse it to create requests and then crawl and test those requests.
  - Upload Swagger/OpenAPI File


Lab 6, 7,8 and 9 


Please follow pages 15 — 21 from the Lab Tutorial Supplement


Lab Supplement - https://bit.ly/qsc2021-was 


Lab 6 — Sitemap 

Lab 7 — Option Profile 
Lab 8 — QBR Script 1 

Lab 9 — QBR Script 2 


25 min. 


Reporting 


Dashboard

Dashboard | Summary (screenshot, Tue 08 Aug 2017): 46 total web applications, 4 with Malware Monitoring; All Vulnerabilities 1.23K broken down by severity; panels for Most Vulnerable Web Applications (name, last scan date, total vulnerabilities, high/med/low), Catalog (New, Rogue, Ignored, In Subscription), Your Last Scans (scan name, status, severity), Your Upcoming Scans (task name, occurs, next date) and Latest Reports.


WAS Reporting 


* Results listed by vulnerability, link, type, app
* Redundant results are condensed to a base cause
* Create Templates to save report formats
* Four report types
* Schedule Reports to run when you need them


Web Application Report

* Normalized data of all scans on the web application
* Choose tags or applications for report targets
* Vulnerability Status included (New, Active, Re-opened, Fixed)
* History of vulnerability
* Retest for vulnerability

Screenshot: a Cross-Site Scripting finding (Group: Cross-Site Scripting; CWE-79; OWASP A3 Cross-Site Scripting (XSS); WASC-8 Cross-Site Scripting; CVSS Base 4.3, CVSS Temporal 4.3) with the actions Install Patch, Ignore and Retest, First Time Detected / Last Time Detected / Last Time Tested dates, Times Detected 3 with View History, Detection Information naming the vulnerable parameter q of the form at http://54.84.232.118:8080/bodgeit/search.jsp, and a Payloads section (Payload, Request) listing the tests that show how the parameter could have been exploited to collect the information.


Scan Report 


* Raw Scan Results
* Pick the specific scan results you'd like to view in a report
* View Threat, Impact, and Solution for vulnerabilities

Scan Report

Vulnerabilities of all selected scans are consolidated into one report so that you can view their evolution.

Screenshot: report sections Scans, Web Application, Remediation, Summary and Findings by Severity for "Web Application Vulnerability Scan - Banking app - 2017-08-08 Run #1" on the Banking app, with the options "Include ignored findings" and "Include patched findings".


Scorecard Report 


* Statistics on all applications tagged in the UI
* Top 10 most vulnerable applications
* OWASP breakdowns

OWASP Top 10 2013 Vulnerabilities:
Injection
Broken Authentication and Session Management
Cross-Site Scripting (XSS)
Insecure Direct Object References
Security Misconfiguration
Sensitive Data Exposure
Missing Function Level Access Control
Cross-Site Request Forgery (CSRF)
Using Components with Known Vulnerabilities
Unvalidated Redirects and Forwards

Top 10 Vulnerable Web Applications (example): Banking app, Bank of Qualys, First snow app


Catalog Report 


* Lists web apps as New, Approved, Rogue, or Ignored
* Number of entries added over time
* Number of entries by status

Catalog report (screenshot): web applications are listed with the total number per status (New, Rogue, Approved, Ignored); Summary; Number of Entries by Status, e.g. New (43); each entry shows IP Address, Port and FQDN.


Report Management 


* Create, download, run reports
* Filter by tag, type, format, status, generation date, download date
* Filter existing reports
* Add tags to reports

Report details shown (screenshot): Worst Vulns - Type: Web Application Report, Format: Web Archive (HTML), Template: Worst Vulns, Tags: -, Generation Date, Last Download Date, Generated by MANAGER Nick, 08 Aug 2017, with Preview.


QID 150021 - Scan Diagnostics 


150021 Scan Diagnostics

The scan diagnostics data provides technical details about the crawler's performance and behavior.

Screenshot: Finding 963158 for Web Application My First App, Detection Date 14 Feb 2017 12:54PM GMT.

Highlight changes from previous scan:
Modified - this result was found by the previous scan but its value was different
Removed - this link was not found, but was reported in the previous scan

First column indicates HTTP response code.

Sample diagnostics line:
Batch #1 URI blind SQL manipulation (no auth): 9 vulnsigs tests, completed 18 requests, 1 seconds. Completed 18


QID 150100 - Selenium Diagnostics 


* Troubleshoot Selenium script 

* See which parts of the script ran 

Results can highlight changes from the previous scan: 
* New - this link was not found in the previous scan 
* Modified - this result was found by the previous scan but its value was different 
* Removed - this link was not found, but was reported in the previous scan 

Log for Selenium script: crawlscript 

Executing: |open | http://34.201.91.241:8080/bodgeit/basket.jsp | | 
Executing: |clickAndWait | link=Widgets | | 
Executing: |clickAndWait | link=Weird Widget | | 
Executing: |clickAndWait | id=submit | | 
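As an added illustration (not part of the Qualys training material or of the WAS product), the following Python script parses a Selenium diagnostics log in the `Executing: |command | target | value |` form shown above and reports the first expected step that never ran, which is the question a practitioner asks when a login or crawl script stops early. The log text and the expected step list are constructed for the example; the host name is a placeholder.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample log in the QID 150100 format. The final expected step
# (clickAndWait id=submit) is deliberately absent to model a script that
# stopped before its last command.
SAMPLE_LOG = """\
Log for Selenium script: crawlscript

Executing: |open | http://app.example.test:8080/bodgeit/basket.jsp | |
Executing: |clickAndWait | link=Widgets | |
Executing: |clickAndWait | link=Weird Widget | |
"""

# Steps the script author expected to run (constructed, mirrors the slide).
EXPECTED_STEPS: List[Tuple[str, str]] = [
    ("open", "http://app.example.test:8080/bodgeit/basket.jsp"),
    ("clickAndWait", "link=Widgets"),
    ("clickAndWait", "link=Weird Widget"),
    ("clickAndWait", "id=submit"),
]

# One "Executing:" line: three pipe-delimited columns (command, target, value).
# The value column is empty for open/clickAndWait but filled for e.g. "type".
STEP_RE = re.compile(
    r"^Executing:\s*\|\s*(?P<cmd>[^|]*?)\s*\|\s*(?P<target>[^|]*?)\s*\|\s*(?P<value>[^|]*?)\s*\|\s*$"
)


def parse_executed_steps(log: str) -> List[Tuple[str, str, str]]:
    """Return (command, target, value) for every step the log says executed."""
    steps = []
    for line in log.splitlines():
        match = STEP_RE.match(line.strip())
        if match:
            steps.append((match["cmd"], match["target"], match["value"]))
    return steps


def first_unexecuted_step(
    expected: List[Tuple[str, str]], executed: List[Tuple[str, str, str]]
) -> Optional[int]:
    """Index of the first expected step with no matching log entry, or None
    when every expected step appears in order."""
    for i, (cmd, target) in enumerate(expected):
        if i >= len(executed) or executed[i][0] != cmd or executed[i][1] != target:
            return i
    return None


def diagnose(log: str, expected: List[Tuple[str, str]]) -> str:
    """Human-readable summary of where the script stopped."""
    executed = parse_executed_steps(log)
    idx = first_unexecuted_step(expected, executed)
    if idx is None:
        return f"all {len(expected)} steps executed"
    cmd, target = expected[idx]
    return f"{idx} of {len(expected)} steps executed; stopped before: {cmd} {target}"


if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG, EXPECTED_STEPS))
```

A mismatch on the step index, not only on the count, catches the case where the log shows a different command at a position (for example a locator that changed after a UI update), which is the usual cause of an authentication script no longer reaching the submit step.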


Lab 10 and 11 


Please follow page 22 from the Lab Tutorial Supplement 


Lab Supplement - https://bit.ly/qsc2021-was 


15 min. 


Lab 10 — Web App Report 
Lab 11 — Scan Report 


Tags and Users 


Tag Management 


Add and remove tags to: 

* Users 
* Web Applications 
* Reports 
* Option Profiles 
* Brute Force Lists 
* Search Lists 
* Scanners 
* Parameter Sets 
* Authentication Records 

(Screenshot: example tag tree with WebApps, Production, E-Com, Development, Decommissioned.) 


User Roles 


* User roles provide privileges to access tagged assets 

* Set granular permissions 

* Grant QA or Developers access 

(Screenshot: User Edit dialog, Roles And Scopes tab. Help tips visible on the slide:) 
* Allow user full permissions and scope (the user will have full access to everything) 
* Each role grants you a set of permissions that will apply to the objects you have access to. 
* Allow user view access to all objects (other permissions are granted by the user's roles) 
* Use tags on what the user should have access to 

Roles shown: WAS MANAGER (assigned); READER, UNIT MANAGER, WAF Manager, WAS SCANNER, WAS USER (unassigned). Scope tags shown: Development, Production, WebApps. 

Customize a role 


Web Application Scanning permission groups: 

* WAS Asset Permissions (8 of 8) 
* Scanner Appliance Permissions (1 of 1) 
* WAS Scan Permissions (3 of 3) 
  * Launch WAS Scan 
  * Cancel WAS Scan 
  * Delete WAS Scan 
* WAS Schedule Permissions (3 of 3) 
* WAS Configuration Permissions (22 of 22) 
* WAS Catalog Permissions (4 of 4) 
* WAS Burp Permissions (7 of 7) 
* WAS Remediation Permissions (3 of 3) 
* WAS Authentication Record Permissions (3 of 3) 


Lab 12 and 13 


Please follow pages 23 — 26 from the Lab Tutorial 
Supplement 


Lab Supplement - https://bit.ly/qsc21-was 


Direct Links: 
* Lab 12 - Tagging 
* Lab 13 - Users 


15 min. 


Burp and Bugcrowd Integration 


WAS Integration 


Centralized location for vulnerability details. 

(Screenshot: Detection Management with the Finding Type filter offering Qualys, Burp and Bugcrowd. The Detection List shows Qualys findings by status, QID and name, e.g. 150019 Browser-Specific Cross-Site Scripting Vulnerabilities, 150012 Blind SQL Injection, 150001 Reflected Cross-Site Scripting (XSS) Vulnerabilities, 150003 SQL Injection, each with the affected URL.) 


KnowledgeBase 


Burp Suite Professional Integration 


(Screenshot: Burp Suite Professional beside the WAS Detection Management view with the Burp tab selected. Imported Burp issues listed include Password field with autocomplete enabled, HTML does not specify charset, Cleartext submission of password, Cookie without HttpOnly flag set, and Frameable response (potential Clickjacking), each with the affected URL.) 


Bugcrowd Integration 


* Qualys WAS and Bugcrowd can now bi-directionally import and export findings 

(Screenshot: Bugcrowd tab in Detection Management listing imported submissions with their priority level and state.) 


Web Malware Detection 


Malware Detection 

1. Enter URL 
2. MDS does a breadth crawl of the URL 
3. MDS runs both behavioral and static analysis. 
4. Qualys will email the user if malware is found. 

(Diagram: Malware Detection Service running in the Qualys Virtual Machine Farm, with a sample alert e-mail: "ALERT! Qualys Found Malware On Your Website".) 

Malware Detection 

Web Application Scanning 

(Screenshot: WAS dashboard with a Malware column and "24 total scanned web apps, 0 with Malware Monitoring"; the Web Applications list includes an MDS Severity column, e.g. SAFE.) 


Lab 14 


Please follow page 27 from the Lab Tutorial Supplement 


Lab Supplement - https://bit.ly/qsc2021-was 


5 min. 


Lab 14 — Burp Integration 


Course Survey 


Qualys. 


Thank You 


training@qualys.com 


